How to securely embrace shadow IT in the enterprise

The rise of digital technology like cloud computing, mobile, social and the Internet of Things has left an indelible mark on the modern workplace. How we engage with one another today is far different than what it was even five or ten years ago, and we now expect to have instant, anywhere access to information and each other wherever we go.

At the start of this transformation, enterprises struggled to keep pace with their users’ technology demands while also maintaining security. However, we’ve come a long way since then. Enterprise adoption of cloud computing is now on the rise: according to Cloud Sherpas’ 2015 Enterprise Cloud Report, 75 per cent of organisations worldwide are implementing or using at least one cloud application, and 90 per cent of IT leaders say their use of cloud applications will increase significantly or somewhat over the next five years.

These increases in cloud adoption are no doubt excellent news, as a comprehensive cloud strategy can deliver numerous benefits around efficiency, collaboration, innovation, engagement, adaptability and intelligence. But the cloud is a different environment from the on-premise world, and as such it creates new challenges.

Cloud technology has its shadows

Perhaps one of the most notable differences between the cloud and on-premise environments is the presence of shadow IT. While the cloud’s simplicity often proves a significant benefit, it has paved the way for shadow IT: the practice of users implementing enterprise technology on their own without IT approval. And although the Cloud Security Alliance found that only 8 per cent of companies know the extent of shadow IT in their organisations, these activities are actually quite prevalent. In fact, CipherCloud reports that 86 per cent of cloud applications used by enterprises are unsanctioned by IT.

Traditionally, IT departments have cast shadow IT in a negative light, and for good reason. Shadow applications pose several challenges and risks. Most notably:

1. They’re siloed, and this lack of integration might mean that users miss out on valuable intelligence or efficiency opportunities.

2. They’re procured and managed by users, who don’t have the same experience with these activities as skilled IT professionals. This becomes especially problematic if application issues arise.

3. They pose security risks, including loss of data, since these applications are tied to a user’s tenure with the company. They also might not provide the appropriate level of security or align with your security policy.

It’s time to recognise the value hiding in the shadows

Despite these downsides, shadow IT also has significant upsides and can even create added business value. For example:

1. Users engage in shadow IT when they have a need to satisfy or find a new way to work more efficiently, both of which are good intentions. If shadow applications can fulfill those goals, users can produce better results for the business.

2. Shadow IT empowers users by putting them in a position to make decisions about how to solve challenges they encounter every day. And who is better equipped to understand those challenges and identify a solution than those who are closest to them?

3. Shadow IT can keep IT teams more informed about user needs, especially when “crowdsourcing” occurs and multiple users go after the same (or same type of) application.

Of course, in order to realise these positives, IT needs to change its approach to shadow IT. While a complete lockdown is too strict (and will likely push these activities further out of IT’s view), a free-for-all is too lenient. To truly make the most of what shadow IT has to offer, you need to balance the risks and values by setting guidelines about when shadow IT is okay and when these activities are too much and need to come under IT control.

6 guidelines to securely embrace shadow IT

To strike this balance, I recommend setting guidelines around the following six points:

1. Application Footprint: Once an application exceeds 5-10 users, IT needs to step in. This should start with IT holding an admin account, owning the billing relationship and provisioning/deprovisioning users, with responsibilities growing alongside use.

2. Application Cost: If an application costs more than $500/year, IT needs to own it.

3. Application Duplication: Users should not be allowed to use shadow applications that accomplish the same objectives as an application already introduced by IT. Additionally, if users pursue similar shadow applications and the combined use exceeds the footprint threshold, use should be consolidated into one application under IT control.

4. Data Value: If shadow applications store data that would create problems if lost or stolen, IT needs to manage those applications. Furthermore, if any shadow applications could provide increased intelligence if they were integrated with other enterprise applications, they need to come under IT control.

5. Performance Efficiency: Similar to the last point regarding data value, if there are applications similar to those pursued by users that would integrate closely with enterprise technology currently in place and provide efficiency gains as a result, they should come under IT control.

6. Data Security: If the use of any shadow applications will open IT to vulnerabilities due to a lack of firewall protection, or if the data these applications store will cause issues if compromised, then IT needs to take over. This guideline requires you to first identify what constitutes sensitive data for your organisation.

How will you turn on the light?

As cloud adoption continues to grow, so too will shadow IT. There’s no stopping this behaviour, and perhaps that’s a good thing given the many benefits it can provide. However, IT needs to learn how to properly manage shadow IT in order to capitalise on these benefits, and realise that management starts by striking a balance between complete lockdown and total free-for-all. Introducing the six guidelines outlined above can help create that balance and light the path for securely embracing shadow IT.

David Hoff is the Chief Technology Officer of Cloud Sherpas